diff --git a/src/ssl.c b/src/ssl.c
index 5999bb5fd..d4fcaa0ba 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -3456,6 +3456,9 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
 
     headerEnd += XSTRLEN(header);
 
+    if ((headerEnd + 1) >= bufferEnd)
+        return SSL_BAD_FILE;
+
     /* eat end of line */
     if (headerEnd[0] == '\n')
         headerEnd++;